Rules Contributing to Suspicious Access Attempt to Windows Object Alerts


The following rules are used to identify suspicious access attempts to Windows objects. Any one or more of them will trigger the Suspicious Access Attempt to Windows Object alert. Details for each rule can be viewed by clicking the More Details link in its description.
| Title | Description |
|---|---|
| SysKey Registry Keys Access | Detects handle requests and access operations to the specific registry keys used to calculate the SysKey. |
| Sysmon Channel Reference Deletion | Potential threat actor tampering with the Sysmon manifest and eventually disabling it. |
| Suspicious Teams Application Related ObjectAcess Event | Detects access to authentication tokens and accounts of the Microsoft Teams desktop application. |
| Processes Accessing the Microphone and Webcam | Potential adversaries accessing the microphone and webcam on an endpoint. |
| Azure AD Health Service Agents Registry Keys Access | This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. |
| Azure AD Health Monitoring Agent Registry Keys Access | This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. |
| WCE wceaux.dll Access | Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host. |
| Secure Deletion with SDelete | Detects the renaming of a file during deletion with the SDelete tool. |
| Windows Defender Exclusion Set | Detects scenarios where a Windows Defender exclusion was added in the registry, which an entity would do to bypass antivirus scanning by Windows Defender. |